Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

Wednesday, 03 April 2019 19:49

Govt hosting strategy: duplication by the gallon and done in a hurry Featured

By
Govt hosting strategy: duplication by the gallon and done in a hurry Image by WikiImages from Pixabay

The Federal Government's release of a hosting strategy last week appears to be an attempt to prevent the issue of data sovereignty being raised as an election issue.

A statement from the Digital Transformation Minister Michael Keenan — who will be retiring from active duty at the election — said the strategy "provides a new framework that strengthens data sovereignty, supply chain and data centre ownership provisions to increase security, protect privacy and improve resilience of data infrastructure".

And, further, "This includes a requirement that data centre facilities that host high-value government data achieve certification as “sovereign” or “assured” data centres."

There was no mention of the fact that cloud providers, both Australian and from other countries, duly certified by the Australian Signals Directorate, can host government data of the highest security classification provided they have obtained Protected status.

Two American companies — Microsoft and Amazon Web Services — are among the six firms that can bid to store sensitive classified data. The others are Vault, Macquarie Government and SlicedTech (all Australian) and Dimension Data (South Africa).

Since the hosting strategy seemed to cut across the ASD's role as well, iTWire contacted the agency for clarification, asking: "On Friday, the government announced a new whole-of-government hosting strategy. It says, in part, 'This includes a requirement that data centre facilities that host high-value government data achieve certification as 'sovereign' or 'assured' data centres.

"How does this tie in with the certification of providers that ASD/ACSC does, giving them Protected and other status to host classified government data?"

The ASD's response was: "ACSC [the Australian Cyber Security Centre] has referred your inquiry to the Digital Transformation Agency (DTA) as best placed to respond directly to your questions in consideration of the whole-of-government hosting strategy."

When DTA was contacted and the same query posed, the agency did not provide any answer for the record.

iTWire understands that the push for a whole-of-government hosting strategy came about after a Sydney data centre, Global Switch, accepted Chinese investment for its parent company, Aldersgate Investments, back in 2016.

Aldersgate owns two data centres in Ultimo where it stores classified Australian government material, including sensitive Defence and intelligence files.

Both these data centres have secure gateways certified by the ASD and can be used for secure access by government offices.

According to a story that surfaced in 2017, the Australian Defence Department decided to end its relationship with Global Switch due to this.

Reliable sources in Canberra have told iTWire that a decision on a hosting strategy has been hanging fire since then, and was finally rushed through — like many other government initiatives which have been pinging the email inboxes of journalists over the past few weeks — with Prime Minister Scott Morrison signing off on it a few days before the news was announced.

And, say these sources, the media release was sent out late on Friday afternoon so that it would not attract much attention – an old ploy practised by politicians of every shade.

However, this strategy would bring the DTA into conflict with the ASD sometime down the track. The latter has certified both Microsoft and AWS to host sensitive classified government data – do they fit in with the profile delineated by the hosting strategy where it says "This includes a requirement that data centre facilities that host high-value government data achieve certification as 'sovereign' or 'assured' data centres?"

Adding to the problems, the DTA statement said a "new Digital Infrastructure Service will be established to manage data centre certification and ensure the ecosystem is supported by an effective and efficient network infrastructure. DTA will also work with industry to develop a genuine strategic partnership that recognises government as a single customer".

Looks like many hands will be trying to do the same work.

Microsoft has two data centres in Canberra and has been given the okay by the ASD to have staff from outside the country handle administrative IT tasks without security clearances. It serves its cloud platform Azure and the office suite, Office365, from these centres. But when it comes to Active Directory, a service which government also uses, this is served from Singapore.

Would a data centre in Singapore meet the requirement of being one that qualifies as sovereign or assured?

There are three aspects when it comes to data sovereignty – there is the physical aspect, the operational aspect and the legal jurisdiction aspect. Physically, the data that conforms to the hosting strategy would have to be stored within Australia.

AWS does not conform to this requirement, having told the ASD in advance that it would be offering only the same commercial service that it offers to everyone else. In the US, AWS has built an isolated service that meets all sovereignty requirements that the US Government demands.

In operational terms, too, there would appear to be an issue as personnel from outside Australia, who have no Australian security clearance, would be handling Australian data structures for both Microsoft and AWS.

And there is an added conundrum: the ATO has been using Global Switch as well, and will be ending its relationship with the company in 2020. But when it moves to AWS — as it is expected to — which uses the very same Global Switch data centre, would that conform to the requirements of the hosting strategy?

Once again, DTA was asked about this, but the agency again did not provide an answer for the record.

The government appears to be uncomfortable with foreign-owned data centres, but what would the reaction be if one of the ASD certified clouds was purchased by a Chinese consortium? Why does Australia not have sovereignty requirements for clouds like other nations? These are probably questions for the next government.

But at the moment, the party that is likely to form that next government is keeping mum. Efforts to extract an answer from Labor Shadow Minister for Human Services and the Digital Economy, Ed Husic, about the hosting strategy were unsuccessful.

Husic was asked the same question as put to the ASD and the DTA. A reply was promised, but never came.

The only takeaway from this is that there are lots of questions, a number of close-mouthed government agencies, politicians and businesses – and a lot of taxpayer money is being wasted in the process. But then isn't that the normal state of affairs in Canberra?

BUSINESS WORKS BETTER WITH WINDOWS 1O. MAKE THE SHIFT

You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer

Timezones

QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.

REGISTER!

ADVERTISE ON ITWIRE NEWS SITE & NEWSLETTER

iTWire can help you promote your company, services, and products.

Get more LEADS & MORE SALES

Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]

OR CLICK HERE!

Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments